Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
ShyLionCy
New Contributor

log filter logid range

Hello. I'd like to set up log filter with ids range, like:

 

config log syslogd2 filter
    set forward-traffic disable
    set local-traffic disable
    set multicast-traffic disable
    set sniffer-traffic disable
    set voip disable
    set filter "logid(0100000000-0100999999)"
end

 


it gets into config, but does not work, nothing coming to syslog with that filter

FortiOs Version 6.4.8, device FG1800F

Is there a solution to this?

6 REPLIES 6
xsilver_FTNT
Staff
Staff

Hello,

what is expected content of those filtered logs ?

 

I'm not sure there are any Event type messages with Subtype 00.

I'd suggest to have a look into following resources to fine tune filter.


Log Schema Structure
https://docs.fortinet.com/document/fortigate/6.4.8/fortios-log-message-reference/738142/log-schema-s...

 

And to Log ID numbers 
https://docs.fortinet.com/document/fortigate/6.4.8/fortios-log-message-reference/84948/log-messages

 

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

ShyLionCy

event: 1

system: 0

 

There are plenty of them. Like system config change, performance stats, DHCP messages.

 

Example:

 

Apr 13 10:55:12 10.96.62.113 date=2022-04-13 time=10:55:12 devname="red-fg1800-02" devid="FG180Fcut" eventtime=1649829312344813014 tz="+0000" logid="0100044547" type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="cut" ui="ha_daemon" action="Add" cfgtid=480584558 cfgpath="vpn.ssl.web.portal:bookmark-group:bookmarks" cfgobj="forticlient:gui-bookmarks:Cut" cfgattr="url[https://some.uri/]" msg="Add vpn.ssl.web.portal:bookmark-group:bookmarks forticlient:gui-bookmarks:Cut"
xsilver_FTNT
Staff
Staff

stupid question .. is syslogd2 enabled ?
Because default is disabled:

config log syslogd2 setting
set status disable
end

 

If it is, then I'd start sniffer to see if there are any syslog messages sent out on wire.
That'd be my next step.

Then basically those will be following steps.

If messages are going out from FortiGate, but not received on syslog server, then:

- any firewall on the way ?

- any firewall on the server itself ?

- anything in traffic sniffer (like Wireshark or tcpdump) on server itself to check if message came in on wire ?

- any rules on syslog server itself to discard messages, so anything in server log ?

 

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

ShyLionCy


@xsilver_FTNT wrote:

stupid question .. is syslogd2 enabled ?
Because default is disabled:

config log syslogd2 setting
set status disable
end

 

If it is, then I'd start sniffer to see if there are any syslog messages sent out on wire.
That'd be my next step.

Then basically those will be following steps.

If messages are going out from FortiGate, but not received on syslog server, then:

- any firewall on the way ?

- any firewall on the server itself ?

- anything in traffic sniffer (like Wireshark or tcpdump) on server itself to check if message came in on wire ?

- any rules on syslog server itself to discard messages, so anything in server log ?

stupid question .. is syslogd2 enabled ?

 


Where do you think i got those example? :)

I just skipped rest of the config.

 

If i choose exact logid's as in documentation examples, everything works.

I'm just experimenting and tried to put range into config, which is NOT documented.

Surprisingly it saved into config but does not work. Not saying it actually should.

xsilver_FTNT

Well I see explicitly stated that expected is a list of IDs. Not a range.
Fine, CLI might validate that and issue an error. But CLI inline "?" help states it clearly as a list.

 

camille-esx02 (filter) # set filter
Please input the logid list or level (or both) as filters.
[logid(...)] [traffic-level(...)] [event-level(...)] [virus-level(...)] [webfilter-level(...)] [ips-level(...)] [emailfilter-level(...)] [anomaly-level(...)] [voip-level(...)] [dlp-level(...)] [app-ctrl-level(...)] [waf-level(...)] [gtp-level(...)] [dns-level(...)] [ssh-level(...)] [ssl-level(...)] [cifs-level(...)] [file-filter-level(...)] [icap-level(...)]
See the following 2 examples.
example 1
set filter "logid(40704,32042)"
example 2
set filter "event-level(information)"
The available levels are as the following:
emergency,alert,critical,error,warning,notice,information,debug

 

Therefore "not documented => not supported", I would say.

Ger in contact with sales rep. to discuss and possibly get that pushed to Fortinet's R&D should you need that. So it might, but also might not, get implemented in future.

 

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

ShyLionCy
New Contributor

Not a big deal, after all. But could be better.


Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors